This repository provides an in-depth guide to the various Windows forensic artifacts that can be utilized when conducting an investigation. Detailed information is provided for each artifact, including its location, available parsing tools, and instructions for interpreting the results of a forensic data extraction. Furthermore, the repository seeks to provide a comprehensive resource for those seeking to expand their understanding of Windows forensics artifacts and how to properly leverage them during a forensic investigation.
Forensic artifacts on the Windows operating system can generally be split into four main categories:
Registry artifacts are found in the Windows registry, which is loaded into memory while a system is in operation and written to disk during shutdown. The registry stores low-level configuration settings for the operating system and contains a wealth of forensic artifacts of interest to an analyst.
Filesystem artifacts are artifacts that arise due to the operation of Windows' filesystem - NTFS (New Technology File System).
Event log artifacts are found in the Windows event log and consist primarily of audit logs from the operating system and its applications.
Memory artifacts are those artifacts found in the endpoint's memory while it is operational. These artifacts must be collected from a live system and are generally not applicable to dead disk forensics, with certain exceptions such as page files and hibernation files, which consist of memory that has been written to disk.
A complete forensic analysis of a Windows endpoint will draw on one or more of these artifact categories. They may be collected and parsed individually at the analyst's discretion, or consolidated into "super timelines" with forensic software such as log2timeline.
This guide was created to classify the numerous Windows forensic artifacts and provide a concise list of what information they respectively provide. While it may be used as a general reference, it shines when it comes time to tie separate artifacts together based on mutual/shared datapoints.
For instance, if it is known that an attacker has logged into an endpoint around a certain time, an analyst may want to determine what activity on the endpoint can be attributed to this session. For this, the analyst might begin by looking at 4624 Logon events and pull the Logon ID from this artifact. This guide provides a list of every artifact that has the Logon ID field present, filed under the section Logon ID, providing a quick way to correlate logon activity with other activity on the endpoint.
As another example, suppose you are aware that an endpoint may have a malicious file on it. You may want to see when the file was created, when it was first executed, or which Logon ID is associated with its execution in 4688 events.
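The Logon ID pivot described above, worked through in code as an added example (this is not tooling from the repository): it flattens exported Security log XML into records and groups 4688 process creations under the 4624 logon that shares their Logon ID. The XML records are constructed for this example; the field names (TargetLogonId on 4624, SubjectLogonId on 4688) follow the Security log schema.

```python
"""Pivot from 4624 logon events to the 4688 process-creation events of the same session."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not real log data) in the EventData XML shape of exported .evtx data.
SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T10:00:00Z"/></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetLogonId">0x3e7a1</Data>
<Data Name="LogonType">10</Data><Data Name="IpAddress">203.0.113.5</Data></EventData></Event>
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2024-05-01T10:01:12Z"/></System>
<EventData><Data Name="SubjectLogonId">0x3e7a1</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /c whoami</Data><Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2024-05-01T10:03:40Z"/></System>
<EventData><Data Name="SubjectLogonId">0x3e7</Data><Data Name="NewProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="CommandLine">svchost.exe -k netsvcs</Data><Data Name="ParentProcessName">C:\Windows\System32\services.exe</Data></EventData></Event>
<Event><System><EventID>4688</EventID><TimeCreated SystemTime="2024-05-01T10:02:05Z"/></System>
<EventData><Data Name="SubjectLogonId">0x3e7a1</Data><Data Name="NewProcessName">C:\Windows\System32\net.exe</Data>
<Data Name="CommandLine">net user</Data><Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict holding EventID, TimeCreated and every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": ev.find("e:System/e:EventID", NS).text,
               "TimeCreated": ev.find("e:System/e:TimeCreated", NS).get("SystemTime")}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        events.append(rec)
    return events


def sessions_by_logon_id(events):
    """Group each 4624 logon with the 4688 process creations carrying the same Logon ID.
    Caveat: Logon IDs are only unique within one boot of one host, so scope the input
    accordingly; a 4688 whose Logon ID has no 4624 in scope is kept with logon=None."""
    sessions = defaultdict(lambda: {"logon": None, "processes": []})
    for rec in events:
        if rec["EventID"] == "4624":
            sessions[rec["TargetLogonId"]]["logon"] = rec
        elif rec["EventID"] == "4688":
            sessions[rec["SubjectLogonId"]]["processes"].append(rec)
    for sess in sessions.values():
        sess["processes"].sort(key=lambda r: r["TimeCreated"])  # chronological process timeline
    return dict(sessions)


def processes_for_session(events, logon_id):
    """Ordered (time, process, command line) tuples attributable to one Logon ID."""
    sess = sessions_by_logon_id(events).get(logon_id)
    return [] if sess is None else [(p["TimeCreated"], p["NewProcessName"], p.get("CommandLine"))
                                    for p in sess["processes"]]
```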
Building a mental map of the relationships between all the artifacts present in Windows is necessary for an analyst to pivot their focus efficiently during an investigation. This guide lays those relationships out and, along the way, provides useful analysis tips collected during years of forensic experience.
The forensic artifacts described in this repository are split into the following categories:
Execution artifacts may provide the following information:
What command line was used to spawn this process?
When was this executable first run?
When was the last time this executable was run?
What permissions does the process have? What account launched the process?
How did this process come to be? What spawned this process? Is the ProcessID available?
When was this process spawned?
Was a process spawned?
Account activity artifacts may provide the following information:
When was this account created?
What groups is the account a member of?
When did this account last log in?
Identification of specific instances of account logins
Certain activity can be tied to login sessions by means of a Logon ID
What is the account's Relative Identifier?
What is the account's Security Identifier?
Determining the username attached to a particular SID, or artifacts where you would expect to find a username
File activity artifacts may provide the following information:
When was the file created?
When was the file deleted?
What is the hash of this file?
When was the file last modified?
Where did the file come from?
Where is the file located?
What is the file's size on disk?
Network activity artifacts may provide the following information:
Is there evidence of network activity?
Can the destination for this activity be identified?
Can the source of this activity be identified?
Can the amount of data sent or received be determined?
Artifacts supporting general forensic analysis for browser activity on an endpoint
Artifacts supporting general forensic analysis of events pertaining to the Windows Firewall
Artifacts providing evidence of wireless network activity
These miscellaneous artifacts may provide an analyst information regarding certain actions that a user took on a system.
These miscellaneous artifacts may provide an analyst information regarding Group Policy Object (GPO) activity on an Active Directory domain.
These artifacts may be leveraged by an analyst to enumerate information from an endpoint that may prove useful during an investigation. While some of these artifacts may not necessarily be looked at for evidence of activity, they may be analyzed to obtain information important to an investigation.
Artifact | Information |
---|---|
Select | CurrentControlSet |
CurrentVersion | OS Version, Installation Timestamp |
TimeZoneInformation | System Time Zone |
ComputerName | System Name |
Interfaces | IP configuration |
Network Cards | Network Adapter Enumeration |
Group Membership Registry Key | Local account group membership enumeration |
Additionally, these artifacts may be roughly mapped to the MITRE ATT&CK framework to perform analysis on a behavioral basis:
The below artifacts are related to execution. Execution is defined by MITRE as:
...techniques that result in adversary-controlled code running on a local or remote system.
The below artifacts may prove useful in identifying instances of execution on an endpoint:
Artifact Type | Artifact |
---|---|
Filesystem | Prefetch |
Eventlog | Security/4688: A new process has been created |
Registry/Memory | ShimCache |
Registry | AmCache.hve |
Filesystem | Scheduled Task Files |
Eventlog | TaskScheduler/Operational Log |
Registry/Filesystem | SRUM Database |
Filesystem | Program Compatibility Assistant (PCA) - PcaAppLaunchDic.txt |
Registry | Background Activity Monitor |
Filesystem | Detection History Files |
Registry | Tracing Registry Keys |
Eventlog | Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started |
Filesystem | AutomaticDestinations Jumplists |
Filesystem | Windows Error Reporting Files (.WER) |
The below artifacts are related to persistence activities. Persistence is defined by MITRE as:
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
The below artifacts may prove useful in identifying instances of persistence on an endpoint:
Artifact Type | Artifact |
---|---|
Registry | Run/RunOnce Keys |
Eventlog | TaskScheduler/Operational Log |
Filesystem | Scheduled Task Files |
Eventlog | Security/4720: A user account was created |
Eventlog | WMI-Activity/Operational/5861: New WMI Event Consumer |
Registry | Image File Execution Options |
Eventlog | Microsoft-Windows-Shell-Core/Operational/9707: Command Execution Started |
Registry | Services Registry Keys |
Eventlog | Security/7045: Service Installed |
The below artifacts are related to lateral movement activities. Lateral movement is defined by MITRE as:
techniques that adversaries use to enter and control remote systems on a network.
The below artifacts may prove useful in identifying instances of lateral movement to or from an endpoint: